Accepting Credit Card Online but Processing Offline
I am coding an application for a client.
He wants to accept credit cards (in a secured fashion) online, but print them out locally or transmit to a fax machine so he can process them offline. This way he can avoid gateway fees and higher online processing fees.
Is this legal? I have been searching the web and have found sketchy evidence suggesting it is.
If this is legal, where can I find the rules governing this?
And thanks for the recommendation empresasdehosting!
Yes it is legal - and actually a lot of hosting companies do it to help protect them a little bit more. They ask the consumer to fax them a credit card authorization form. And it does help potentially to reduce some fraud.
For example, we had a client that the IP address came up in Florida, he said he was in Northern California, yet the billing address was from Southern California. And then when he faxed the authorization, the fax number was in Texas. And then authorization / credit card was in a woman's name. Way too many red lights to even consider that transaction.
There are a few things to consider here. First is the transmission of the card number and storage thereof; if you are storing them locally you have to meet the Visa/MC regulations about encryption, time you keep them, viewing rights and so forth. As a general rule you never want to store the entire number lest you run into the issue that a now-famous merchant provider did this week. Secondly, if you are submitting the cards to be faxed or emailed you have to check the security of that system. Simply printing a fax to an office is not safe; we all like to think our employees are good but this is not always the case.
Storage and transmission aside you need to remember one final golden rule -- there are actually more elements to this but your provider can tell you the exact details you need to adhere to -- just because you are planning to run the cards manually on a POS or other gateway does not mean you can charge them like you would a "card present" transaction. You still need to enter your payments in a manner that captures their true status (non-physical card submission via the internet). If this means more fees, sorry, you can't escape that. The fact is the card is coming in the same way and if you process it like the person was right there in front of you without informing your provider you will have problems and you will violate your agreement. Everyone gets a fraud order or chargeback and when that person complains it's going to be very clear they never signed anything or saw anyone at a physical location so trying to lie, that won't work. Of course you can often avoid gateway charges but that all depends on your provider.